Supreme Court: Morrisons not liable for actions of rogue employee

The Supreme Court has overturned the previous court decisions in the Morrisons case. The Court’s decision, issued today, says that the employee’s activities in this case were not sufficiently connected with his employment to make Morrisons vicariously liable for the employee’s unauthorised actions, in this case, motivated by a personal vendetta against the company.

The court did not totally exclude vicarious liability.

Rohan Massey, Partner at Ropes & Gray said: “It should be noted that this does not mean employers are freed from liability obligations to affected individuals in all cases. The facts of this case are unusual, an employee with right to payroll data to perform his job taking a copy of the data and using it in an unauthorised manner, in this case by offering it to the national news media for publication. There are many other circumstances in which a personal data breach will lead to the unauthorised disclosure of large amounts of personal data and the potential class compensation claim that will follow.”

Privacy and cybersecurity partner at Hogan Lovells, Nicola Fulford, said: "The Supreme Court's decision will be welcomed by companies, as they now know they are unlikely to be liable for damages following the deliberate act of a rogue employee where the disclosure is not within the "field of activities" assigned to that employee. However, the Court did go on to indicate that employers may, in principle, still be vicariously liable for breaches of data protection legislation where their employees are data controllers in their own right. Companies must continue to ensure their systems and processes for securing their data are robust, even more so given the increased risks of breaches we are seeing during the COVID-19 pandemic."

See: The Supreme Court - WM Morrisons Supermarkets plc (Appellant) v Various Claimants (Respondent)

We will publish a full analysis of this case in the next issue of PL&B UK Report.